-rw-r--r--nizk/stage1.go44
-rw-r--r--nizk/stage1_test.go8
-rw-r--r--nizk/stage2.go62
-rw-r--r--nizk/stage2_test.go31
4 files changed, 62 insertions, 83 deletions
diff --git a/nizk/stage1.go b/nizk/stage1.go
index 2342e17..4cd9547 100644
--- a/nizk/stage1.go
+++ b/nizk/stage1.go
@@ -3,16 +3,13 @@ package nizk
import . "kesim.org/seal/common"
type Stage struct {
+ bit *Bit
+
x *Scalar
r *Scalar
com *StageCommitment
rev *StageReveal
-
- prf1 *Stage1Proof
- prf2 *Stage2Proof
-
- bit *Bit
}
type StageCommitment struct {
@@ -21,8 +18,8 @@ type StageCommitment struct {
}
type StageReveal struct {
- Z *Point
Y *Point
+ Z *Point
}
// Represents the proof of statements of the following form:
@@ -45,18 +42,7 @@ func (b *Bit) stage(x, r *Scalar) *Stage {
}
}
-func (b *Bit) CommitStage1(Xs ...*Point) (c *Stage, s *StageCommitment) {
- x := Curve.RandomScalar()
- r := Curve.RandomScalar()
- return b.CommitStage1FromScalars(x, r, Xs...)
-}
-
-func (b *Bit) CommitStage1FromScalars(x, r *Scalar, Xs ...*Point) (s *Stage, c *StageCommitment) {
- s = b.stage(x, r)
- return s, s.commit(false, Xs...)
-}
-
-func (s *Stage) commit(lost bool, Xs ...*Point) *StageCommitment {
+func (s *Stage) commit(Xs ...*Point) *StageCommitment {
if s.com != nil {
return s.com
}
@@ -68,18 +54,31 @@ func (s *Stage) commit(lost bool, Xs ...*Point) *StageCommitment {
return s.com
}
-func (s *Stage) reveal(Xs ...*Point) (r *StageReveal, e error) {
+func (b *Bit) Stage(Xs ...*Point) (c *Stage, s *StageCommitment) {
+ x := Curve.RandomScalar()
+ r := Curve.RandomScalar()
+ return b.StageFromScalars(x, r, Xs...)
+}
+
+func (b *Bit) StageFromScalars(x, r *Scalar, Xs ...*Point) (s *Stage, c *StageCommitment) {
+ s = b.stage(x, r)
+ return s, s.commit(Xs...)
+}
+
+func (s *Stage) reveal(prev_true bool, Xs ...*Point) (r *StageReveal, e error) {
// TODO: Calculate Y based on the Xs and our own X_i
// as Π_(i<k) X_k / Π_(i>k) X_k
// For now:
Y := G.Exp(Curve.RandomScalar())
r = &StageReveal{Y: Y}
- if s.bit.IsSet() {
+
+ if prev_true && s.bit.IsSet() {
r.Z = s.com.R.Exp(s.x)
} else {
r.Z = Y.Exp(s.x)
}
+
return r, e
}
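Review bot: `StageFromScalars` is exported and uses the caller's `x` and `r` as given, but nothing in this hunk says what a caller must guarantee about them, and `TestStage1FromScalars` feeds the same two scalars to two different bits. A doc comment such as `// StageFromScalars builds the stage from caller-supplied x and r; both must be fresh, uniformly random and never reused across stages.` would make the contract explicit; adjust the wording if the method exists only for deterministic tests. `Stage` names its results `(c *Stage, s *StageCommitment)` while `StageFromScalars` uses `(s *Stage, c *StageCommitment)`, and using the same names in both avoids a mix-up. The new parameter `prev_true` (also in `RevealStage2` in stage2.go) would be `prevTrue` in Go's MixedCaps style.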
@@ -89,10 +88,10 @@ func (s *Stage) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof, e
for _, s := range []**Scalar{&r1, &r2, &ρ1, &ρ2, &ω} {
*s = Curve.RandomScalar()
}
- c := s.commit(false)
+ c := s.commit()
bc := s.bit.com
- rev, e = s.reveal(Xs...)
+ rev, e = s.reveal(true, Xs...)
if e != nil {
return nil, nil, e
}
@@ -146,7 +145,6 @@ func (s *Stage) RevealStage1(Xs ...*Point) (rev *StageReveal, pr *Stage1Proof, e
}
s.rev = rev
- s.prf1 = pr
return rev, pr, e
}
diff --git a/nizk/stage1_test.go b/nizk/stage1_test.go
index d4e68bf..9c6d957 100644
--- a/nizk/stage1_test.go
+++ b/nizk/stage1_test.go
@@ -13,8 +13,8 @@ func TestStage1Simple(t *testing.T) {
bc1, _ := b1.Commit()
bc2, _ := b2.Commit()
- s1, c1 := b1.CommitStage1()
- s2, c2 := b2.CommitStage1()
+ s1, c1 := b1.Stage()
+ s2, c2 := b2.Stage()
r1, pr1, _ := s1.RevealStage1() // Note: no Xs.
r2, pr2, _ := s2.RevealStage1() // Note: no Xs.
if !bc1.VerifyStage1(c1, r1, pr1) {
@@ -40,8 +40,8 @@ func TestStage1FromScalars(t *testing.T) {
bc1, _ := b1.Commit()
bc2, _ := b2.Commit()
- s1, c1 := b1.CommitStage1FromScalars(r, x)
- s2, c2 := b2.CommitStage1FromScalars(x, r)
+ s1, c1 := b1.StageFromScalars(r, x)
+ s2, c2 := b2.StageFromScalars(x, r)
r1, pr1, _ := s1.RevealStage1() // Note: no Xs
r2, pr2, _ := s2.RevealStage1() // Note: no Xs
if !bc1.VerifyStage1(c1, r1, pr1) {
diff --git a/nizk/stage2.go b/nizk/stage2.go
index 8747ebf..f565ad0 100644
--- a/nizk/stage2.go
+++ b/nizk/stage2.go
@@ -4,18 +4,6 @@ import (
. "kesim.org/seal/common"
)
-func (b *Bit) CommitStage2(lost bool, prev *Stage) (s *Stage, c *StageCommitment) {
- x := Curve.RandomScalar()
- r := Curve.RandomScalar()
- return b.CommitStage2FromScalars(lost, prev, x, r)
-}
-
-func (b *Bit) CommitStage2FromScalars(lost bool, prev *Stage, x, r *Scalar) (s *Stage, c *StageCommitment) {
- s = b.stage(x, r)
- c = s.commit(lost)
- return
-}
-
// Represents the proof of a statement of the following form:
//
// ( Z=g^(x*y) && X=g^x && Y=g^y && Z_=g^(x_*y_) && X_=g^x_ && Y_=g^y_ ) // case "none"
@@ -31,7 +19,7 @@ type Stage2Proof struct {
R3 [2]*Scalar
}
-func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proof, e error) {
+func (s *Stage) RevealStage2(prev_true bool, prev *Stage, Xs ...*Point) (rev *StageReveal, pr *Stage2Proof, e error) {
var (
e1, e1_ [3]Bytes
e2, e2_ [3]Bytes
@@ -48,24 +36,17 @@ func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proo
}
}
- c := s.commit(lost)
+ c := s.com
bc := prev.bit.com
pc := prev.com
rvp := prev.rev
- // TODO: Calculate Y based on the Xs and our own X_i
- // as Π_(i<k) X_k / Π_(i>k) X_k
- // For now:
- Y := G.Exp(Curve.RandomScalar())
-
- rev = &StageReveal{Y: Y}
- if s.bit.IsSet() {
- rev.Z = c.R.Exp(s.x)
- } else {
- rev.Z = rev.Y.Exp(s.x)
+ rev, e = s.reveal(prev_true, Xs...)
+ if e != nil {
+ return nil, nil, e
}
- if lost {
+ if !prev_true {
e1[0] = G.Exp(r1[0]).Mul(c.X.Exp(w[0]))
e1[1] = G.Exp(r1[1]).Mul(pc.X.Exp(w[0]))
e1[2] = G.Exp(r1[2]).Mul(bc.A.Exp(w[0]))
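Review bot: With `c := s.com` replacing the call to `s.commit(...)`, `RevealStage2` no longer creates the commitment on demand, and it reads `prev.bit.com`, `prev.com` and `prev.rev` without checking any of them. Because the method is now exported, a caller passing a `prev` that has not been revealed yet would presumably hit a nil dereference instead of getting `e` back. A guard near the top such as `if s.com == nil || prev == nil || prev.com == nil || prev.rev == nil { return nil, nil, errNotReady }` (where `errNotReady` is a package-level error that would have to be added) would cover it, together with a doc comment stating these preconditions and what `prev_true` selects. The function starts before and continues after this hunk, so the later uses of `rvp` are not visible here.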
@@ -146,7 +127,7 @@ func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proo
ch := Challenge(points...)
pr = &Stage2Proof{}
- if lost {
+ if !prev_true {
pr.Ch[0] = w[0]
pr.Ch[1] = w[1]
pr.Ch[2] = ch.Sub(w[0]).Sub(w[1])
@@ -195,39 +176,38 @@ func (s *Stage) proof2(lost bool, prev *Stage) (rev *StageReveal, pr *Stage2Proo
}
}
- s.prf2 = pr
return rev, pr, e
}
-func (c *Commitment) VerifyStage2(pcom, ccom *StageCommitment, prev, crev *StageReveal, p *Stage2Proof) bool {
+func (c *Commitment) VerifyStage2(c1, c2 *StageCommitment, r1, r2 *StageReveal, p *Stage2Proof) bool {
var (
e1, e1_ [3]Bytes
e2, e2_ [3]Bytes
e3, e3_ [2]Bytes
)
- e1[0] = G.Exp(p.R1[0]).Mul(ccom.X.Exp(p.Ch[0]))
- e1[1] = G.Exp(p.R1[1]).Mul(pcom.X.Exp(p.Ch[0]))
+ e1[0] = G.Exp(p.R1[0]).Mul(c2.X.Exp(p.Ch[0]))
+ e1[1] = G.Exp(p.R1[1]).Mul(c1.X.Exp(p.Ch[0]))
e1[2] = G.Exp(p.R1[2]).Mul(c.A.Exp(p.Ch[0]))
- e1_[0] = ccom.R.Exp(p.R1[0]).Mul(crev.Z.Exp(p.Ch[0]))
- e1_[1] = pcom.R.Exp(p.R1[1]).Mul(prev.Z.Exp(p.Ch[0]))
+ e1_[0] = c2.R.Exp(p.R1[0]).Mul(r2.Z.Exp(p.Ch[0]))
+ e1_[1] = c1.R.Exp(p.R1[1]).Mul(r1.Z.Exp(p.Ch[0]))
e1_[2] = c.B.Exp(p.R1[2]).Mul(c.C.Div(G).Exp(p.Ch[0]))
- e2[0] = G.Exp(p.R2[0]).Mul(ccom.X.Exp(p.Ch[1]))
- e2[1] = G.Exp(p.R2[1]).Mul(pcom.X.Exp(p.Ch[1]))
+ e2[0] = G.Exp(p.R2[0]).Mul(c2.X.Exp(p.Ch[1]))
+ e2[1] = G.Exp(p.R2[1]).Mul(c1.X.Exp(p.Ch[1]))
e2[2] = G.Exp(p.R2[2]).Mul(c.A.Exp(p.Ch[1]))
- e2_[0] = crev.Y.Exp(p.R2[0]).Mul(crev.Z.Exp(p.Ch[1]))
- e2_[1] = pcom.R.Exp(p.R2[1]).Mul(prev.Z.Exp(p.Ch[1]))
+ e2_[0] = r2.Y.Exp(p.R2[0]).Mul(r2.Z.Exp(p.Ch[1]))
+ e2_[1] = c1.R.Exp(p.R2[1]).Mul(r1.Z.Exp(p.Ch[1]))
e2_[2] = c.B.Exp(p.R2[2]).Mul(c.C.Exp(p.Ch[1]))
- e3[0] = G.Exp(p.R3[0]).Mul(ccom.X.Exp(p.Ch[2]))
- e3[1] = G.Exp(p.R3[1]).Mul(pcom.X.Exp(p.Ch[2]))
+ e3[0] = G.Exp(p.R3[0]).Mul(c2.X.Exp(p.Ch[2]))
+ e3[1] = G.Exp(p.R3[1]).Mul(c1.X.Exp(p.Ch[2]))
- e3_[0] = crev.Y.Exp(p.R3[0]).Mul(crev.Z.Exp(p.Ch[2]))
- e3_[1] = prev.Y.Exp(p.R3[1]).Mul(prev.Z.Exp(p.Ch[2]))
+ e3_[0] = r2.Y.Exp(p.R3[0]).Mul(r2.Z.Exp(p.Ch[2]))
+ e3_[1] = r1.Y.Exp(p.R3[1]).Mul(r1.Z.Exp(p.Ch[2]))
- points := []Bytes{G, c.A, c.B, c.C, ccom.R, ccom.X, crev.Y, crev.Z, pcom.R, pcom.X, prev.Y, prev.Z}
+ points := []Bytes{G, c.A, c.B, c.C, c2.R, c2.X, r2.Y, r2.Z, c1.R, c1.X, r1.Y, r1.Z}
points = append(points, e1[:]...)
points = append(points, e2[:]...)
points = append(points, e3[:]...)
diff --git a/nizk/stage2_test.go b/nizk/stage2_test.go
index 4d507d7..54f718d 100644
--- a/nizk/stage2_test.go
+++ b/nizk/stage2_test.go
@@ -3,25 +3,26 @@ package nizk
import (
"testing"
- // . "kesim.org/seal/common"
+ . "kesim.org/seal/common"
)
func TestStage2Simple(t *testing.T) {
-/*
- id := Curve.RandomScalar()
- b1 := NewBit(id, true)
- b2 := NewBit(id, true)
+ id1 := Curve.RandomScalar()
+ id2 := Curve.RandomScalar()
+ b1 := NewBit(id1, true)
+ b2 := NewBit(id2, true)
- _, _ = b1.Commit()
- s1, c1 := b1.CommitStage1()
- curr, _ := b2.Commit()
- _, c2, p2 := b2.CommitStage2(true, s1)
+ s1, c1 := b1.Stage()
+ r1, _, _ := s1.RevealStage1()
- if !curr.VerifyStage2(c1, c2, r1, r2, p2) {
+ bc2, _ := b2.Commit()
+ s2, c2 := b2.Stage()
+ r2, p2, e := s2.RevealStage2(true, s1)
+ if e != nil {
+ t.Fatalf("e: %v", e)
+ }
+ if !bc2.VerifyStage2(c1, c2, r1, r2, p2) {
+ t.Fatalf("failed to verify!\nbc2: %#v\nc1: %#v\nc2: %#v\nr1: %#v\nr2: %#v\np2: %#v\n",
+ bc2, c1, c2, r1, r2, p2)
}
- */
-}
-
-func TestStage2FromScalar(t *testing.T) {
-
}
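Review bot: The test verifies against `bc2`, the commitment of `b2`, while `RevealStage2` takes its bit commitment from `prev.bit.com`, which here belongs to `b1`. From the visible lines the prover and the verifier are not obviously working on the same `A`, `B`, `C`, so it is worth confirming which bit the statement is meant to bind. `b1.Commit()` is no longer called before `s1.RevealStage1()`, which reads `s.bit.com`; unless `NewBit` already sets that field, restoring `_, _ = b1.Commit()` is needed, and the error dropped in `r1, _, _ :=` should be checked so a failure surfaces where it happens. Only `prev_true == true` is exercised, and a second case passing `false` would cover the other branch of the proof now that `TestStage2FromScalar` is removed.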